[SECURITY] Fix Secret Leakage via Environment Variables (CVSS 9.3) #58

Merged

allegro merged 1 commits from security/fix-secret-leakage into main

2026-03-30 23:43:03 +00:00

Author	SHA1	Message	Date
Allegro	08abea4905	security: fix secret leakage via whitelist-only env vars (CVSS 9.3) Some checks failed Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 32s Details Tests / test (pull_request) Failing after 30s Details Docker Build and Publish / build-and-push (pull_request) Failing after 55s Details Replace blacklist approach with explicit whitelist for child process environment variables to prevent secret exfiltration via creative naming. Changes: - tools/code_execution_tool.py: Implement _ALLOWED_ENV_VARS frozenset - Only pass explicitly listed env vars to sandboxed child processes - Drop all other variables silently to prevent credential theft Fixes CWE-526: Exposure of Sensitive Information to an Unauthorized Actor CVSS: 9.3 (Critical) Refs: V-003 in SECURITY_AUDIT_REPORT.md	2026-03-30 23:42:43 +00:00

Author

SHA1

Message

Date

Allegro

08abea4905

security: fix secret leakage via whitelist-only env vars (CVSS 9.3)

Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 32s

Details

Tests / test (pull_request) Failing after 30s

Details

Docker Build and Publish / build-and-push (pull_request) Failing after 55s

Details

Replace blacklist approach with explicit whitelist for child process
environment variables to prevent secret exfiltration via creative naming.

Changes:
- tools/code_execution_tool.py: Implement _ALLOWED_ENV_VARS frozenset
- Only pass explicitly listed env vars to sandboxed child processes
- Drop all other variables silently to prevent credential theft

Fixes CWE-526: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.3 (Critical)
Refs: V-003 in SECURITY_AUDIT_REPORT.md

2026-03-30 23:42:43 +00:00

[SECURITY] Fix Secret Leakage via Environment Variables (CVSS 9.3) #58

1 Commits